Network diagram (image not included; IP addresses are fictitious)
Firewall OS: CentOS 6
I recently enabled two-factor authentication, using Google Authenticator, and with that transfers via SCP for some users were impossible to carry out. So the solution I found was to transfer files via FTP (active), using VSFTP (Ubuntu 22.04 LTS).
I am using active FTP due to strict network restrictions at my university (passive FTP is not allowed).
I was able to successfully redirect the SSH access to the server. However, I am having difficulties with FTP. I've already tried several rules, and read a lot of documentation and tips on forums.
Firewall. Open ports:
- 22/TCP, 2222/TCP, 65020/TCP, 65021/TCP.
Internal server. Port mapping:
- Requests received on port 22/TCP access the firewall itself via SSH.
- Requests received on port 2222/TCP on the firewall are redirected to port 22/TCP (SSH) on the internal server.
- Requests received on port 65020/TCP on the firewall are redirected to port 20/TCP (FTP-DATA) on the internal server.
- Requests received on port 65021/TCP on the firewall are redirected to port 21/TCP (FTP) on the internal server.
The following are the firewall iptables rules:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 65020 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 65021 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 65020 -j DNAT --to-destination 192.168.0.2:20
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 65021 -j DNAT --to-destination 192.168.0.2:21
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.0.2:22
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
Port 2222/TCP redirect works perfectly. I can access the internal server via SSH. Access via FTP is not working. I get the following message from Filezilla:
Status: Connecting to 172.17.1.212:65021...
Status: Connection established, waiting for welcome message...
Status: Insecure server, it does not support FTP over TLS.
Status: Server does not support non-ASCII characters.
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is the current directory
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PORT 172,17,1,253,233,145
Response: 500 Illegal PORT command.
Command: PASV
Response: 227 Entering Passive Mode (192,168,0,2,56,33).
Command: LIST
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
I've tried other rules, but I won't put them here because I don't want to clutter up the post with unnecessary information.
The "nf_conntrack_ftp" module is loaded.
# lsmod | grep ftp
nf_conntrack_ftp 12081 0
nf_conntrack 79761 7 nf_conntrack_ftp,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
IPv4 forwarding is enabled too:
# sysctl -p | grep "net.ipv4.ip_forward"
net.ipv4.ip_forward = 1
FTP access via the internal network works fine (I use Filezilla's active mode option).
Can anyone help me understand what I'm doing wrong?
My best regards.
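As an added diagnostic example (not part of the original post), the script below walks the control-channel lines from the Filezilla log above and reports each data-channel negotiation that cannot succeed: a PORT command announcing an address other than the one the server sees the control connection coming from (vsftpd refuses such a PORT unless port_promiscuous is set), and a 227 reply announcing an address other than the one the client dialled. Through a masquerading firewall both values would normally be rewritten by the FTP NAT helper, so either finding points at the helper not acting on that connection. The firewall inside address 192.168.0.1 used in the test call is an assumption.

```python
import re

# Constructed sample: the control-channel exchange from the Filezilla log above.
SAMPLE_LOG = """\
Command: PWD
Response: 257 "/" is the current directory
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PORT 172,17,1,253,233,145
Response: 500 Illegal PORT command.
Command: PASV
Response: 227 Entering Passive Mode (192,168,0,2,56,33).
Command: LIST
"""

_SIX = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and by 227 replies."""
    m = _SIX.search(text)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def analyse(log, client_as_seen_by_server, nat_outside_ip):
    """Return one finding per data-channel negotiation that cannot work.

    client_as_seen_by_server: source address of the control connection at the
      server (after MASQUERADE this is the firewall's inside address; assumed).
    nat_outside_ip: the address the client dialled (the firewall's outside IP).
    """
    findings = []
    last_cmd = None
    for line in log.splitlines():
        if line.startswith("Command: "):
            last_cmd = line[len("Command: "):]
        elif line.startswith("Response: ") and last_cmd:
            code = line.split()[1]
            if last_cmd.startswith("PORT"):
                hp = decode_hostport(last_cmd)  # address the client asked the server to dial
                if hp and hp[0] != client_as_seen_by_server:
                    findings.append(f"PORT announced {hp[0]}:{hp[1]} but the control peer is "
                                    f"{client_as_seen_by_server}: NAT did not rewrite PORT (server replied {code})")
            elif last_cmd == "PASV" and code == "227":
                hp = decode_hostport(line)  # address the server asked the client to dial
                if hp and hp[0] != nat_outside_ip:
                    findings.append(f"227 announced {hp[0]}:{hp[1]} instead of {nat_outside_ip}: "
                                    f"NAT did not rewrite the PASV reply")
            last_cmd = None
    return findings
```

Run it as `analyse(SAMPLE_LOG, "192.168.0.1", "172.17.1.212")`; on the log above it yields exactly the two findings, one for the rejected PORT and one for the private address leaked in the 227 reply.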